Network Security Focus-IDS
Re: Help for placing IDS sensors

Subject: Re: Help for placing IDS sensors
Date: Tue, 24 Apr 2007 07:40:18 -0400
Digvijay,

If this is a new IDS build out and IDS is new to the organization,
then you WILL make mistakes along the way. You should plan to deploy,
learn, redeploy, learn, etc. So don't try too hard to get it right the
first time, just get some deployed.

You don't state what the reasons are for deploying IDS. This is
critical to understanding the best locations. There is no one type of
location that will be ideal for all needs.

If the driving need is compliance of some sort, then it's best to ask
those who will be verifying the compliance what they will be looking
for to validate the IDS deployment. Often, the answer is going to be,
"Do you have IDS?", "Yes", "Good, ....". If that's the need, then it
will be hard to justify the expense of monitoring the data generated
by 20 or more sensors. Might as well save electricity and focus on
only a few sensors so that the new staff can handle them.

If one is buying many IDS sensors and not adding resources for their
management and monitoring, might as well give up.

To best cover a large network from internal threats, I'd start at the
network layer with a behavioral IDS like Lancope, Mazu, or Arbor.

The only way to get sensors to function "as perfect as inline" is to
have them inline. There are those of us who might argue that inline is
not perfect. For many threats, one would want to isolate the threat as
close to the threat as possible, though one may initially detect the
threat at some distance. Other applications are too critical to be
taken out by an inline false positive. If one doesn't have a good idea
what these applications are going in, then inline may be hazardous to
one's employment.

Those are all generalizations, I know. You may think that your network
diagram is specific, but I hope I've illustrated that the network is
only a small part of the overall security monitoring strategy. The
specific locations of sensors must be driven by that strategy for a
successful IDS program.

Regards,
--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
